
Thursday, June 28, 2012

I was very interested in authentication and bumped into SRP. SRP is a protocol that helps in achieving authentication and is defined at http://srp.stanford.edu/. Since I did not see any implementation of it in my current favorite programming language, Scala, I decided to write a small Scala-based SRP v6a implementation. The code is hosted on GitHub at https://github.com/shreyaspurohit/SRPScala and is MIT-licensed open source. Feel free to contribute.

I have provided an example implementation using the Play 2.0 web framework, hosted at http://srp.bitourea.com/. The client is authenticated by the server, then the client verifies that it is speaking to the right server, and finally it fetches the secret page over an AES 128-bit PBE-encrypted channel. Since Scala server-side code alone is not sufficient, there is also srp.js, which tags along for the client-side JavaScript.

Both the Scala and the JS code are small and can be easily understood. Just implement the SRPServer trait and you are good to go. The example Play 2.0 app provides a sample implementation, ExampleSRPServer.scala. It uses a file for storage; you can use a DB or any other destination for storage. The usage of the JavaScript is shown as an example in login.scala.html, which shows very cleanly the data that is exchanged between client and server.

This is how the example app works. These are just the important code snippets; look on GitHub for the complete code.

The server calculates the expected session id. There is some more authentication in the real code. If the results are defined, then save the current session and return s and bvalStr. Refer to the SRP design to understand these parameters.

The server returns the verifier. The server and client have now authenticated to each other. K has never been sent over the wire, so we use K as the secret key for this session to encrypt the data exchanged between server and client. This is shown in the getTheSecretPage() method in login.scala.html. On the server side, check Auth.scala for the AES magic. The enc method on the server side does the job in Scala.
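The SRP-6a exchange described above, with both sides deriving K and proving it to each other without K or the password crossing the wire, as an added Node.js example that is not code from SRPScala or srp.js. The group (Node's built-in modp14, g = 2), SHA-256, the hash input layout and all function names are assumptions; B is assumed to correspond to the post's bvalStr.

```javascript
const crypto = require('crypto');

// Assumption: Node's built-in 2048-bit MODP group 14 (safe prime) with g = 2,
// and SHA-256 as H. The project and srp.js may use other parameters.
const N = BigInt('0x' + crypto.getDiffieHellman('modp14').getPrime('hex'));
const g = 2n;

const toBuf = (p) => {
  if (typeof p !== 'bigint') return Buffer.from(p);
  const h = p.toString(16);
  return Buffer.from(h.length % 2 ? '0' + h : h, 'hex');
};
const H = (...parts) => BigInt('0x' +
  crypto.createHash('sha256').update(Buffer.concat(parts.map(toBuf))).digest('hex'));
const rand = () => BigInt('0x' + crypto.randomBytes(32).toString('hex'));
function modPow(base, exp, mod) {
  let r = 1n;
  for (base %= mod; exp > 0n; exp >>= 1n, base = (base * base) % mod) {
    if (exp & 1n) r = (r * base) % mod;
  }
  return r;
}
const k = H(N, g); // SRP-6a multiplier k = H(N, g)
const privKey = (s, user, pw) => H(s, H(`${user}:${pw}`)); // x

// Registration: the server stores only salt s and verifier v = g^x mod N.
function register(user, pw) {
  const s = rand();
  return { s, v: modPow(g, privKey(s, user, pw), N) };
}

// One login: client sends A, server answers with s and B, both derive K.
function login(record, user, pw) {
  const a = rand(), A = modPow(g, a, N);                      // client
  if (A % N === 0n) throw new Error('server rejects A');       // server check
  const b = rand(), B = (k * record.v + modPow(g, b, N)) % N; // server
  if (B % N === 0n) throw new Error('client rejects B');       // client check
  const u = H(A, B), x = privKey(record.s, user, pw);
  const base = (((B - k * modPow(g, x, N)) % N) + N) % N;
  const clientK = H(modPow(base, a + u * x, N));
  const serverK = H(modPow((A * modPow(record.v, u, N)) % N, b, N));
  const M1 = H(A, B, clientK);            // client proof, checked by the server
  const serverAccepts = M1 === H(A, B, serverK);
  const M2 = H(A, M1, serverK);           // server proof, checked by the client
  const clientAccepts = serverAccepts && M2 === H(A, M1, clientK);
  return { serverAccepts, clientAccepts, keysMatch: clientK === serverK };
}
```

Both roles run in one function here for readability; in a real deployment only A, s, B, M1 and M2 travel between browser and server, and the `A % N` and `B % N` checks must not be skipped.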